Malware Analysis Report

2024-12-07 07:57

Sample ID 241113-mm9l5azkfs
Target Triage.zip
SHA256 cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Tags
xmrig miner upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b

Threat Level: Known bad

The file Triage.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx

xmrig

Xmrig family

XMRig Miner payload

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-13 10:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2492 set thread context of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.31.169.57:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4024-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-8-0x00000000006C0000-0x00000000006E0000-memory.dmp

memory/4024-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-16-0x0000000000AF0000-0x0000000000B10000-memory.dmp

memory/4024-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4024-22-0x00000000130D0000-0x00000000130F0000-memory.dmp

memory/4024-21-0x0000000002450000-0x0000000002470000-memory.dmp

memory/4024-24-0x00000000130D0000-0x00000000130F0000-memory.dmp

memory/4024-23-0x0000000002450000-0x0000000002470000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10v2004-20241007-en

Max time kernel

1798s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3828 set thread context of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2588-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-8-0x0000000000B90000-0x0000000000BB0000-memory.dmp

memory/2588-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-16-0x0000000012D60000-0x0000000012D80000-memory.dmp

memory/2588-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2588-21-0x00000000132A0000-0x00000000132C0000-memory.dmp

memory/2588-22-0x00000000134D0000-0x00000000134F0000-memory.dmp

memory/2588-23-0x00000000132A0000-0x00000000132C0000-memory.dmp

memory/2588-24-0x00000000134D0000-0x00000000134F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win7-20240903-en

Max time kernel

246s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3048 set thread context of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2924-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2924-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-17-0x0000000001B90000-0x0000000001BB0000-memory.dmp

memory/2924-16-0x0000000000540000-0x0000000000560000-memory.dmp

memory/2924-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2924-19-0x0000000001B90000-0x0000000001BB0000-memory.dmp

memory/2924-18-0x0000000000540000-0x0000000000560000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:07

Platform

win11-20241007-en

Max time kernel

1800s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2680 set thread context of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3924-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-8-0x0000000001200000-0x0000000001220000-memory.dmp

memory/3924-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-16-0x0000000002AE0000-0x0000000002B00000-memory.dmp

memory/3924-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3924-22-0x0000000013940000-0x0000000013960000-memory.dmp

memory/3924-21-0x0000000013710000-0x0000000013730000-memory.dmp

memory/3924-24-0x0000000013940000-0x0000000013960000-memory.dmp

memory/3924-23-0x0000000013710000-0x0000000013730000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4488 set thread context of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4004-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-8-0x0000000002560000-0x0000000002580000-memory.dmp

memory/4004-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-16-0x0000000012C80000-0x0000000012CA0000-memory.dmp

memory/4004-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-21-0x00000000131D0000-0x00000000131F0000-memory.dmp

memory/4004-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4004-22-0x0000000013400000-0x0000000013420000-memory.dmp

memory/4004-23-0x00000000131D0000-0x00000000131F0000-memory.dmp

memory/4004-24-0x0000000013400000-0x0000000013420000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win7-20240903-en

Max time kernel

247s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 584 set thread context of 352 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/352-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/352-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-16-0x0000000000230000-0x0000000000250000-memory.dmp

memory/352-17-0x0000000000250000-0x0000000000270000-memory.dmp

memory/352-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/352-18-0x0000000000230000-0x0000000000250000-memory.dmp

memory/352-19-0x0000000000250000-0x0000000000270000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1810s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4196 set thread context of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 224.58.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/3856-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-8-0x0000000000BE0000-0x0000000000C00000-memory.dmp

memory/3856-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-16-0x00000000012E0000-0x0000000001300000-memory.dmp

memory/3856-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3856-21-0x00000000136C0000-0x00000000136E0000-memory.dmp

memory/3856-22-0x00000000138F0000-0x0000000013910000-memory.dmp

memory/3856-23-0x00000000136C0000-0x00000000136E0000-memory.dmp

memory/3856-24-0x00000000138F0000-0x0000000013910000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

Tags: xmrig

xmrig

Tags: miner xmrig

XMRig Miner payload

Tags: miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5240 set thread context of 5256 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

Tags: upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp

Files

memory/5256-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-8-0x0000000000610000-0x0000000000630000-memory.dmp

memory/5256-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-16-0x0000000002300000-0x0000000002320000-memory.dmp

memory/5256-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5256-21-0x0000000012DF0000-0x0000000012E10000-memory.dmp

memory/5256-22-0x0000000013020000-0x0000000013040000-memory.dmp

memory/5256-23-0x0000000012DF0000-0x0000000012E10000-memory.dmp

memory/5256-24-0x0000000013020000-0x0000000013040000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

Tags: xmrig

xmrig

Tags: miner xmrig

XMRig Miner payload

Tags: miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2520 set thread context of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

Tags: upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/4064-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-8-0x0000000000A20000-0x0000000000A40000-memory.dmp

memory/4064-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-16-0x0000000000A50000-0x0000000000A70000-memory.dmp

memory/4064-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4064-21-0x0000000012F40000-0x0000000012F60000-memory.dmp

memory/4064-22-0x0000000013170000-0x0000000013190000-memory.dmp

memory/4064-23-0x0000000012F40000-0x0000000012F60000-memory.dmp

memory/4064-24-0x0000000013170000-0x0000000013190000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

Tags: xmrig

xmrig

Tags: miner xmrig

XMRig Miner payload

Tags: miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3776 set thread context of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

Tags: upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/1968-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-8-0x00000000003E0000-0x0000000000400000-memory.dmp

memory/1968-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-16-0x0000000000760000-0x0000000000780000-memory.dmp

memory/1968-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1968-21-0x0000000012E30000-0x0000000012E50000-memory.dmp

memory/1968-22-0x0000000013060000-0x0000000013080000-memory.dmp

memory/1968-23-0x0000000012E30000-0x0000000012E50000-memory.dmp

memory/1968-24-0x0000000013060000-0x0000000013080000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win7-20241010-en

Max time kernel

231s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

Tags: xmrig

xmrig

Tags: miner xmrig

XMRig Miner payload

Tags: miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3012 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

Tags: upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2140-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-8-0x0000000000040000-0x0000000000060000-memory.dmp

memory/2140-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-17-0x00000000003F0000-0x0000000000410000-memory.dmp

memory/2140-16-0x00000000003D0000-0x00000000003F0000-memory.dmp

memory/2140-19-0x00000000003F0000-0x0000000000410000-memory.dmp

memory/2140-18-0x00000000003D0000-0x00000000003F0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

Tags: xmrig

xmrig

Tags: miner xmrig

XMRig Miner payload

Tags: miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2348 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

Tags: upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/4520-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-8-0x00000000004D0000-0x00000000004F0000-memory.dmp

memory/4520-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-16-0x0000000002240000-0x0000000002260000-memory.dmp

memory/4520-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4520-22-0x0000000012ED0000-0x0000000012EF0000-memory.dmp

memory/4520-21-0x0000000002260000-0x0000000002280000-memory.dmp

memory/4520-23-0x0000000002260000-0x0000000002280000-memory.dmp

memory/4520-24-0x0000000012ED0000-0x0000000012EF0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

Tags: xmrig

xmrig

Tags: miner xmrig

XMRig Miner payload

Tags: miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4408 set thread context of 1688 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

Tags: upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.31.169.57:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/1688-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-8-0x00000000007E0000-0x0000000000800000-memory.dmp

memory/1688-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-16-0x0000000012A40000-0x0000000012A60000-memory.dmp

memory/1688-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1688-22-0x00000000134E0000-0x0000000013500000-memory.dmp

memory/1688-21-0x00000000132B0000-0x00000000132D0000-memory.dmp

memory/1688-23-0x00000000132B0000-0x00000000132D0000-memory.dmp

memory/1688-24-0x00000000134E0000-0x0000000013500000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win7-20240708-en

Max time kernel

1800s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

Tags: xmrig

xmrig

Tags: miner xmrig

XMRig Miner payload

Tags: miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2096 set thread context of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

Tags: upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2940-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-8-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2940-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-16-0x0000000002300000-0x0000000002320000-memory.dmp

memory/2940-17-0x0000000002320000-0x0000000002340000-memory.dmp

memory/2940-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2940-18-0x0000000002300000-0x0000000002320000-memory.dmp

memory/2940-19-0x0000000002320000-0x0000000002340000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win7-20241010-en

Max time kernel

239s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2580 set thread context of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2964-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-8-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/2964-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2964-17-0x00000000020F0000-0x0000000002110000-memory.dmp

memory/2964-16-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

memory/2964-18-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

memory/2964-19-0x00000000020F0000-0x0000000002110000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2748 set thread context of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1324-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-8-0x0000000001310000-0x0000000001330000-memory.dmp

memory/1324-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-16-0x00000000131E0000-0x0000000013200000-memory.dmp

memory/1324-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1324-22-0x0000000013950000-0x0000000013970000-memory.dmp

memory/1324-21-0x0000000013720000-0x0000000013740000-memory.dmp

memory/1324-23-0x0000000013720000-0x0000000013740000-memory.dmp

memory/1324-24-0x0000000013950000-0x0000000013970000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win7-20240729-en

Max time kernel

1800s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1896 set thread context of 2560 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2560-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2560-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-17-0x0000000001B70000-0x0000000001B90000-memory.dmp

memory/2560-18-0x0000000001B90000-0x0000000001BB0000-memory.dmp

memory/2560-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2560-20-0x0000000001B70000-0x0000000001B90000-memory.dmp

memory/2560-21-0x0000000001B90000-0x0000000001BB0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2120 set thread context of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2840-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-8-0x0000000000EA0000-0x0000000000EC0000-memory.dmp

memory/2840-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-16-0x0000000000F50000-0x0000000000F70000-memory.dmp

memory/2840-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-22-0x00000000135C0000-0x00000000135E0000-memory.dmp

memory/2840-21-0x0000000013390000-0x00000000133B0000-memory.dmp

memory/2840-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-23-0x0000000013390000-0x00000000133B0000-memory.dmp

memory/2840-24-0x00000000135C0000-0x00000000135E0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4472 set thread context of 2256 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 224.58.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2256-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-8-0x0000000000B70000-0x0000000000B90000-memory.dmp

memory/2256-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-16-0x00000000025A0000-0x00000000025C0000-memory.dmp

memory/2256-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2256-21-0x00000000025C0000-0x00000000025E0000-memory.dmp

memory/2256-22-0x00000000133C0000-0x00000000133E0000-memory.dmp

memory/2256-23-0x00000000025C0000-0x00000000025E0000-memory.dmp

memory/2256-24-0x00000000133C0000-0x00000000133E0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5876 set thread context of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 106.154.59.146.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4828-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-8-0x00000000012A0000-0x00000000012C0000-memory.dmp

memory/4828-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-16-0x0000000001350000-0x0000000001370000-memory.dmp

memory/4828-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4828-22-0x00000000139E0000-0x0000000013A00000-memory.dmp

memory/4828-21-0x00000000013C0000-0x00000000013E0000-memory.dmp

memory/4828-24-0x00000000139E0000-0x0000000013A00000-memory.dmp

memory/4828-23-0x00000000013C0000-0x00000000013E0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1564 set thread context of 3296 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3296-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-8-0x00000000012A0000-0x00000000012C0000-memory.dmp

memory/3296-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-16-0x0000000012F20000-0x0000000012F40000-memory.dmp

memory/3296-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-22-0x00000000139E0000-0x0000000013A00000-memory.dmp

memory/3296-21-0x00000000137B0000-0x00000000137D0000-memory.dmp

memory/3296-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3296-23-0x00000000137B0000-0x00000000137D0000-memory.dmp

memory/3296-24-0x00000000139E0000-0x0000000013A00000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3412 set thread context of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1004-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-8-0x0000000000B20000-0x0000000000B40000-memory.dmp

memory/1004-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-16-0x0000000000E60000-0x0000000000E80000-memory.dmp

memory/1004-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-20-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1004-22-0x0000000013460000-0x0000000013480000-memory.dmp

memory/1004-21-0x0000000013230000-0x0000000013250000-memory.dmp

memory/1004-23-0x0000000013230000-0x0000000013250000-memory.dmp

memory/1004-24-0x0000000013460000-0x0000000013480000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:07

Platform

win11-20241007-en

Max time kernel

1798s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3780 set thread context of 1880 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1880-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-8-0x0000000000AA0000-0x0000000000AC0000-memory.dmp

memory/1880-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-16-0x0000000002480000-0x00000000024A0000-memory.dmp

memory/1880-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1880-22-0x00000000131D0000-0x00000000131F0000-memory.dmp

memory/1880-21-0x0000000012FA0000-0x0000000012FC0000-memory.dmp

memory/1880-24-0x00000000131D0000-0x00000000131F0000-memory.dmp

memory/1880-23-0x0000000012FA0000-0x0000000012FC0000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5044 set thread context of 1712 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1712-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-8-0x0000000002470000-0x0000000002490000-memory.dmp

memory/1712-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-16-0x0000000002520000-0x0000000002540000-memory.dmp

memory/1712-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-21-0x00000000130C0000-0x00000000130E0000-memory.dmp

memory/1712-22-0x00000000132F0000-0x0000000013310000-memory.dmp

memory/1712-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1712-23-0x00000000130C0000-0x00000000130E0000-memory.dmp

memory/1712-24-0x00000000132F0000-0x0000000013310000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 10:36

Reported

2024-11-13 11:06

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1810s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 936 set thread context of 224 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 121.224.19.162.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/224-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-8-0x00000000021E0000-0x0000000002200000-memory.dmp

memory/224-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-16-0x00000000125B0000-0x00000000125D0000-memory.dmp

memory/224-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-21-0x0000000012E20000-0x0000000012E40000-memory.dmp

memory/224-22-0x0000000013050000-0x0000000013070000-memory.dmp

memory/224-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/224-23-0x0000000012E20000-0x0000000012E40000-memory.dmp

memory/224-24-0x0000000013050000-0x0000000013070000-memory.dmp